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REMARKS 

The Examiner has objected to the specification for contaming mi embedded 
hyperlink on Page 2, line L Applicaiit respectfully asserts that such objection has been 
avoided by virtue of the amendmeni made herei«above to the specification. 

The Examiner has rejected Ciatms 1-3, 5-10, 13-14, 16-18, 20-25, 28-29, 31 and 
55 under 35 U.S.C. 103(a) as being unpatentable over Trkca et al. (U.S. Patent No. 
6,453,345) m view of Stevens (TCP/IP lUostrated). in addition, the Examiner has 

rejected Claims 4, 19, 32-38, 40-47 and 49-52 under 35 li.S.C. 103(a) as being 
unpatentable over Trkca, in view of Stevens, in further view of Cheriton (U.S. Patent No. 
7,054,930). Applicant respectfitny disagrees with such rejection. 

With respect to independent Claims 1 and 1 6, the Examiner has relied on Pages 6- 
1 1 ill Stevens to make a prior art showing of applicant's claimed "reassembling one or 
more of the incoming datagrams into a segment structured in comphance with a transport 
ptotocol layer" (see the same or similar, but not necessarily identical language in the 
aforementioned independent claims). 

Specifically, the Examiner has argued that "[ijt was well known that in the 
Interaet Protocol there are multiple layers and tMt each layer contains different modules, 
such as the TCP module and the UDP raodnie of the transport layer" and that "[ilt was 
also well known that in order to get to the data in the application layer packet, such as the 

pay load and the packet type, the transport layer niodide must process the transport layer 
packet to reveal the application layer packet," as "evidenced by Stevens Pages 6-1 1." 

Applicant respectfully disagrees. First, applicant respectlully asseits that the 
exceipt from Stevens relied on by the Examiner merely relates to TCP/IP layering (see 
Page 6) and states that "[tjhere are more protocols in the TCP/IP protocol suite"' (see 
Page 6) "at ditTerent layers in the TCP.''1P protocol suite" (see Figure 1.4 caption on Page 
6), Clearly, only disclosing that multiple protocols exist at different layers in the TCP/IP 
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protocol suite, as in Stevews, fails to specificaUy teach "reassembling one or more of tlie 
inconiiHg datagrams into a segment structured in compliance with a trajisport protocol 
layer" (emphasis added), as claimed. 

Second, it also seems thai the Examiwer lias relied 00 an Official Notice argument 
to reject applicatit's specific claim iaaguage. For example, applicant notes that the 
Examiner has stated that "[ijt was also well knowti that in order to get to the data in the 
application layer packet, such as the payload and the packet type, the transport layer 
module t^iust process the transport, layer packet to reveal the application layer packet," as 
noted above. Applicant respectfully asserts that simply arguing that it was well biov\T3 to 
process a transport layer packet to reveal an application layer packet, as noted by the 
Examiner, flails to e vet) suggest " reassembling one or more of the incoming datagrams 
into a segment structured in compliance with a ti'ansport protocol layer" (emphasis 
added), as claimed. 

Thus, in response to tiie Examiner's apparent reliance on Official Notice in 
rejecting applicant's specific claim language, appiicam again points out the remarks 
above that clearly show the manner in which some of such claims further distinguish 
Trcka. Applicant thus formally requests a specific showing of the subject niatter in ALL 
of the claims in any foture action. Note excejpt from MPEP below, 

"If tiie applicant traverses such an [Official Notice] assertion tlie examiner should 
cite a reference in support of his or her position." See MPEP 2144.03. 

With respect to independent Claim 1, the Examiner has relied on the following 
excerpt from Trcka to make a prior art showing of applicant's claimed "protocol-specific 
module processing each reassembled datagram based on the transport protocol layer 
employed by the reassembled datagram." 

"With Surthex- reference to h'lQ. 3, the Post-Capture Fxoce«s:Lng 
!!Sod!i,Le 98 {serves in -part: ass an irJiierface to the trisff ic ;iiiaiy;-i;! 
clatafoases 36. These cSatabas«!S! are us«d by ch^ axialysi.^ 
applioatiorrs 100 to suore and iisanipulace selected po:>:i:ionK of. 



- 14 - 



traffic cwjta. In operation, archived traffic dat?> is loaded into 
the E:-j:af f Jx: analysis ciatabasess 96 f.r.oia the Data. Piayback Ursit- 68. 

of the cyclic recorders 82., 84. As the raw trafi;ic data is read-in 
1 < I < 4 3 ! ^ 's-> . \ i M w Jo 98 

decrypt:; the data (if the data is encrypted), and filters-out 
ii riicrkeiis j:.'a;E;«5<i on 'us;^;?: -ijpfiKn. •: ied ci-.i. t;e>: ;ia ; i.ri ac;dit; !.ois , to 
facilitate the s;Ab;5ecraent ancdysi.'?. of tha i;at«. tho Post -Capture 
Processsinq- Module 98 processes the packets based oa protocol- 

nsnT cranzactions . The Post-Capture Processing Module 38 is 
described in further detail below." {Col. 13, lines :J2-49-eK5phasis 



Applicant respectfvilly asserts that tire excetpt fiom Trcka relied on by the 
E,xaminer merely discloses ihat a "'Po-st-C apiure Processing Moduie '>is processes ihe 
packets based on protocol-specific p^Kket fields ClcaiK, only tiencrfslly di^iclosing a 
module {hcix pioce^ses packets based on ptotoco! specitic packei fields, as in '! rcka. faiis 
to meet applicant's claimed " protocol-specillc module processing each reassembled 
datagram based on the transport protocol layer employed by the reassembled datagratn" 
(emphasis added), as claimed. 



With respect to independent Claims 32 and 41, the Examiner has relied on Col. 2, 
lines 29-34; Col 4, lines 2-11; Col. 7, lines 28-32; and Col 12, lines 29-40 in Trcka to 
make a prior art showing of applicant's claimed "recei ving copies of datagrams transiting 
a boundary of a network domain into an incoming packet queue" (see the same or similar, 
but not necessarily identical language in the aforementioned independent claims). 



Applicant respectfiilly asserts that the excetpts fiom Trcka relied on by the 
Examiner simply teach that "the system captures and records the packets passively" (Col. 
2, lines 30-31), "software which continuously routes at least some of the passively- 
captured tratTic data to a cyclic data recorder" (Col 4, lines 4-5), "[t]he archival 
recording generated by the above-described process is in essence a complete repl ica of all 
valid network ti'afHc" (Col 7, lines 28-30), and "the archival data streaiii generated by 
the Archival Data Processing Module 90. , ,is. . .routed to. . .enable the automated analysis 
of such data" (C:ol 12, lines 29-33). 
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Only generaiiy disclosing captunng and recording packets, as in rrcka. does not 
teach ''receiviiig copies oi'dataaiams iranshiiig a boundary of a network domain'' 

temphaMs added) as claunet 1- fjvt 1 sck.i c\ ^tos'- \ o! s^.\^se^ thnt the atchual 
icootdinu IS m evsetu'o a cofnp>eto e.^l valid network uatTiC as noted <sbo%e 

which does not niei^l applicant's specificallj' clauned "teceis nig copies of daiagianB 
transiting a boundary of a network dontain" (emphasis added), as claimed. 

Still with respect to independent Cfainis 32 and 41, the Examiner has relied on the 
following excetpt from Trcka to make a prior art showitig of applicant's claimed 

techntqxie of "each datagram being copied from a packet stream" ( see the same or similar, 
but not necessariiy identical langiiage in the aforementioned independent claims). 

"As discussed below, th® original ti-jr.ing of the incoming packet 
stream Is i:ievertheless preserved by inserting the date/tim© staiaps 
into the packet jstraam." (Col. 14, lines 34-36} 

Applicant respectfliUy asserts that only disclosing that the original timing of the 
incoming packet sti-eam is preserved fay inserting the date/time stamps into tire packet 
stream, as in Trcka, fails to even suggest aiiy sort of copying, let alone that "each 
datagram [is] copied from a packet stream,'* as claimed. 

F'lirtber, with respect to independent Claims 32 and 4.1, the Examiner has reHed on 
Pages 4-1 1 in Stevens in addition to the rejection of Claim i to make a prior art showing 
of applicant's claimed "'reassembling one or !i>ore such datagrams from the incoming 
packet queue into network protocol packets, each staged in a reassembled packet queue" 
(see tlie same or similar, but not necessarily identical language in the aforementioned 
independent claims). 

First, applicant respectfully asserts that the excerpt fioni Stevens relied on by the 
Examiner merely relates to TCP/IP layering (see Page 6) and states that 'ttjhere are more 
protocols in the TCP/IP protocol suite" (see Page 6) "at different layers in the TCP/IP 
protocol suite" (see Figure 1 .4 caption on Page 6). Clear ly, only disclosing that multiple 
protocols exist at different layers in the TCP/IP protocol suite, as in Stevens, fails to 
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speciftcaily teach ' Veasserobiing one or more such datay ams,' ai^d pat ticulatly not 
' reassembliiig one or more such daiajtranis from the tnconung packet queue into network 
piotocol pdcLeiN (.ach -^taued jii a reassembled packet queue (emphast^ added ^ a^ 
claimed \pphcant <,mpi>a^!ze<^ that Pages 4-11 in Stevens as tehod on bs tK I xarasncj 
does nut esen iiig^est aju sou of {eassembhng, tnconjniu packet queue oi reassembled 
packet queue, and especially not ra the maarter clairaed by applicam. 

Second, it also seems that the Exatniner has relied on an Official Notice arguitseiit 
to reject applicant's specific claim language Tor example, applicant notes that the 

Lxarainei has stared ai the tejectton of C iaim 1 fe'sed on b\ the Lxammer that '| i|t \\as 
a!s>o x\eil kno^vn that m order to get to the data m the appltcuiton ]a\ct packet sitch as the 
payload and the packet ivpe, die uansport la\c5 module must process the tianspon Uner 
packet to reveal tlie application layer packet," as noted above. Applicant respectfully 
asserts that simply arguing that it was well known to process a iTaiisport. layer packet to 
reveal an application layer packet as noted by the Examiner, ftiils to even suggest 
"reassembling one or more such datagrams fromihe.incomijig.packet.t^^ into 
network protocol packets, each staged m a reassembled packet queue " (emphasis added), 
as claimed. 

Thus, in response to tlie Examiner's apparent reliance on Official Notice in 
rejecting applicant's specific claim language, applicant again points out tiie remarks 
above that clearly show the manner in which some of such claims further distinguish 
Trcka. Applicant thus formally requests a specific showing of the subject matter in ALl> 
of the claims in any future action. See MPEP 2144.03 above. 

Moreover, with respect to independent Claims 32 and 41, the Examiner has relied 
on Col . 3, line 66-Coi. 4, line 16 in Trcka to make a prior art showing of applicant's 
claimed "scanning each network protocol packet from tlie reassembled packet queue to 
ascertain an infection of at least one of a computer virus and malware" (see tlie same or 
similar, but not tjecessarily identical language in the aforementioned independent claims). 
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Appiicant respectftiUy asserts that such excerpt from Trcka only discloses that "a 
real-time momtoring application reads the traffic data from the cyclic recorder on a tlrst- 

in-first-out basis and checks for pre-programmed anomalies." However, applicant notes 
that Trcka on ly discloses "software which continuously routes at least soiue of the 
passively-captared traffic data to a cyclic data recorder" (C^ol. 4, lines 3-5). 

Thus, the excerpt from Trcka relied on by the Examiner only discloses reading 
traffic data front a cyclic recorder on a frrst-in-first~out basis and checking such tiaffic 
data for pre-programmed anomalies, where the trafBc data read trom the cyclic recorder 
inchides p assive!) -ca pnired tra ffic data. To this end, applicant respectftiUy points out 
that checking passively-captured traffic data stored in a cyclic recorder, as in Trcka, faiis 
to apecitical! y meet applicant's claimed "'scanning each network protocol packet from the 
reassembled packet queue to ascertain an infection of at least one of a computer virus 
and tnalware" (emphasis added), particiilariy where "reassembi[ed]. . .datagrams [are] 
each staged in [tlie] reassembled packet queue," in tlie context claimed by applicant. 

With respect to independent (^^laini 32, the Examiner has relied on Page 1 1 in 
Stevens and the rejection of Cla im 1 to niiike a prior art showing of appUcant's claimed 
technique "wherein a protocol-specific module processes each reassembled datagram 
based on an upper protocol layer employed by the reassembled datagra^n." 

Applicant respectfully asserts that Page 1 1 in Stevens only discloses 
demultiplexing in which "an Ethernet frame is received at the destination host [and] statts 
its way up the protocol stack [wliere] all the headers are removed by the appropriate 
protocol box." Clearly , such disclosure of demultiplexing does not even suggest a 
"protocol-specific module [that] processes each reassembled datagram based on an 
upper protocol layer employed by the reassembled datagram" (emphasis added), as 
claimed. 

In addition, as noted above with respect to the rejection of Claim 1, as relied on 
by the Examitier, Col. 13, littes 32-49 in Trcka merely discloses that a "Post-Capture 
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Processing Module 98 processes tlie packets based o« protocol-spedfic packet fields." 
Clearly, only generally disclosing a module that processes packets based on protocol 
specific packet fields, as in Trcka, fails to meet applicant's claimed '' protocol-specific 
module [that] processes each reassembled datagram based on an upper protocol layer 
employed by the reassembled datagram" (emphasis added), as claimed. 

To establish Si prima facie case of obviousness, three basic criteria must be met. 
First, there rau«^ be some suggestion or motivation, eitlier in the references themselves or 
\xi the knowledge generally available to one of ordmar\ skill m the att, to modify the 

jeteieiice us ro combaie reteieoce tetKhin„N Nocona rheje mu-^T be a lea'ionable 
CNpcctvUion of success hmalh th^ prsor n* rttv. tiv^ u^r tcfoicnccs when tonibnitd^ 
must tv.ach or snugesl all ih<. C \ >\\ \m <ru ts-. I he c<idnn^ oi sogue-^tion lo make the 
claimed combination and the reasonable expectation of success must both be found in the 
prior ait and not based on applicant's disclosure. /// te Vaeck,94'7 F.2d 48S, 20 USPQ2d 
1438(Fed.Cir.l991). 

Applicant fespectfully assens thai at least the third eiemeTri of the prima facte 
case of obviousness has not been met, since the prior art excerpts, as i^elied upon by the 
Examiner, fail to teach or suggest all of the claim limitations, as noted above. Thus, a 
notice of allowance or a proper prior art showing of all of applicant's claim limitations, in 
combination with the remaining claim elements, is respectfully requested. 

Applicant further notes that the prior art is also deficient with respect to the 
dependent claims. For example, with respect to dependent Claim 4 et ai., the E.Kaminer 
has relied on Col. 2, lines 16-24; Col. 3, lines 29-45; and Claim 7 in Cheriton to make a 
prior art showing of applicant's claimed tecltnique "wherein the antivirus scanner 
terminates the transient packet stream if the reassembled segment is not infected with at 
least one of a computer vims and malware." 

Speciilcaily, the Examiner has argued that Cheriton teaches '^generation and 
refinement of filters for stopping the attack packets, and forwarding these filters 
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tipslream." Applicant respectfdiy disagrees and asserts that stopping attack packets does 
not meet, and even leaches away Itom applicant's claimed technique "xyberein the 

antivirus scanner tenninates the transient packet stream if the reassembled segment is «ot 
infected with at least one of a computer vims and malware" {emphasis added), as 
claimed. 

In addition, applicant notes that the exceipte fiom Cheriton relied on by the 
Examiner merely disclose "filter[ing] harmful data" where "a netflow directoiy^ and flow 
anaK^er are used to detect harmful network f1o\s<« uhjch needs to he filtered' (Col 3, 
Une-i 34-42) and 'ireneiatioi: fhej lo pK^ s, s' i (.kt.ts ..oiiespondnv to said detected 
potentialiv hanntul networiv tlovs^ trom pa^MSK throuyh Naid second n^-'twork d^?\ice 
\i laim 7) Thus Chenton cleaily discloses niiermg haimlul data, and noi a technique 
"wherein the antivirus scanner terminates the transient packet stream if the reassembled 
se gment is not infected with at least one of a computer virus and malware" (emphasis 
added), as claimed. 

With respect to dependent (laim 55, the lixaminer has relied on Col. 14, lines 61- 
67 in Trcka to make a prior art showing of applicant's claimed technique "wherein the 
incoming datagrams include IP datagrams tliat are reassembled into TCP segments." 

Applicant respectfvjlly asserts timt tiie excerpt trom Trcka relied on by tlie 
Examiner only teaches that "[alny of a variety of knoxvn security checks can be 
perfonned on the packet data at this stage," such as performing "virus checking. . . on all 
incoming FTP (File Transfer Protocol) and HHP tiles from linkoown sites," Ciearly, 
only disclosing performing security checks on packet data, as in Trcka, fails to even 
suggest "incotmng datagrams include IP datagrams that are reassembled into TCP 
segments " as applicant claims. 

Agaiti, since at least tlie third element of the prima facie case of obviousness has 
not been met, as noted above, a notice of allowance or a proper prior art showing of all of 
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applicant's claim limitations, in combination with the remaimng claim elements, is 
respectfully requested. 

Still yet, applicant briirgs to the Examiner's attention the subject matter of new 
Claims 56-57 below, which are added for full consideration: 

"wherein Ae spoofed network packet spoofs an origin server by sending a 
legitimate packet in place of an infected packet" (see Claim 56); and 

"whereio each of the protocol-specific scanning snbmodules is used tor retrieving 
a re-assembled packet from an associated protocol-specitlc qiiene" (see Claim 57), 

Again, a notice of allowance or a proper prior art showing of all of applicant 's 
claim limitations, in combination witli the remaining claim elements, is respectfaliy 
requested. To this end, all of the independent claims are deemed allowable. Moreover, 
the remaining dependent claims are tXtrther deemed allowable, in view of their 
dependence on such independent claims. 

In the event a telephone conversation would expedite the prosecution of tiiis 
application, the Examiner may reach the undersigned at (408) 505-5100. The 
Commissioner is authorized to charge any additional fees or credit any overpayment to 
Deposit Account No. 50-1351 (Order No, NAIIP393). 

Respectfiiily submitted, 
Zilka-Kotab, PC 

/KEVINZILKA/ 

Kevin J. Ziika 
Registration No. 41,429 
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